Re: Florian Weimer 2016-10-28 <87r3708aah....@mid.deneb.enyo.de>
> * Christoph Berg:
>
> > More details:
> > https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483
>
> Why do you consider this a security issue? Do you consider it an
> availability issue?
>
> I'm a bit confused why this shows up as a userspace allocation
> failure. glibc should switch to mmap (creating another arena) if sbrk
> fails. I thought we had logic for that in malloc, but the whole code
> is kind of convoluted, so it is difficult to be sure.
For PostgreSQL, it's an availability issue. Any user can create the
following function: (this is the exact failing reason for [1])

  create function infinite_recurse() returns int as
    'select infinite_recurse()' language sql;
  select infinite_recurse();

[1] https://buildd.debian.org/status/logs.php?pkg=postgresql-9.6&ver=9.6.1-1

Without ASLR, or on 64 bit, or with the fix in place, PostgreSQL will
correctly detect that the stack is overflowing the default
max_stack_depth of 2MB, and will safely abort the query.

With the bug, heap and stack are overwriting each other even before 2MB
of stack has been consumed (or the 8MB default stack ulimit has been
reached), leading to a segfault, presumably because the heap is trapping
into the stack guard page, or something like that.

In the past we fixed that in PostgreSQL by not enabling PIE on 32bit,
but with PIE enabled by default, we will have to switch to actively
disabling it.

I think this is also exploitable because it would allow heap accesses to
write to the stack if both get so close. (IIRC the memory layout at the
time of the crash doesn't even have a guard page at the end of the stack
anymore, but that needs closer inspection.)

Kind regards,
Christoph Berg
--
Senior Consultant, Tel.: +49 2166 9901 187
credativ GmbH, HRB Mönchengladbach 12080, USt-ID-Nummer: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
pgp fingerprint: 5C48 FE61 57F4 9179 5970 87C6 4C5A 6BAB 12D2 A7AE
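[Editor's note, not part of the thread above.] The reply relies on PostgreSQL detecting that a recursive query has consumed more than max_stack_depth and aborting it cleanly, which only works when the stack can actually grow up to that limit before colliding with something else. The following is an added example, written for this page and not PostgreSQL's own code, of the kind of stack-depth guard that detection is built on: record a stack address at entry, and at each recursion level compare the current stack position against it. The names (set_stack_base, stack_depth_bytes, stack_is_too_deep, run_guarded_recursion) and the per-frame padding are assumptions for the example; the 2MB default is the value the reply mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stack-depth guard, in the spirit of (but not copied from)
 * PostgreSQL's max_stack_depth check. The reply above names a 2MB default. */
static char *stack_base_ptr = NULL;
static size_t max_stack_bytes = 2u * 1024u * 1024u;

/* Record the caller's stack position. The caller passes the address of one
 * of its own locals so that the marker outlives the guarded recursion; the
 * pointer is only ever used for arithmetic, never dereferenced. */
void set_stack_base(char *marker) {
    stack_base_ptr = marker;
}

/* Approximate bytes of stack used since set_stack_base(). The absolute
 * difference makes this independent of stack growth direction. */
size_t stack_depth_bytes(void) {
    char marker;
    ptrdiff_t d = stack_base_ptr - &marker;
    if (d < 0) d = -d;
    return (size_t)d;
}

/* Returns 1 when recursion should stop. Unknown base => never too deep,
 * so the guard fails open only if it was never armed. */
int stack_is_too_deep(void) {
    if (stack_base_ptr == NULL) return 0;
    return stack_depth_bytes() > max_stack_bytes;
}

/* Unbounded recursion that would otherwise run until a segfault.
 * Returns the depth at which the guard tripped. */
static long recurse(long depth) {
    volatile char pad[512];          /* simulate a real frame's locals */
    pad[0] = (char)depth;
    if (stack_is_too_deep()) return depth;
    long r = recurse(depth + 1);
    /* Reading pad after the call keeps this frame live, so the compiler
     * cannot turn the recursion into a loop and hide the stack growth. */
    return r + (long)(pad[0] - (char)depth);
}

/* Arm the guard with limit_bytes and run the recursion until it trips. */
long run_guarded_recursion(size_t limit_bytes) {
    char base_marker;
    max_stack_bytes = limit_bytes;
    set_stack_base(&base_marker);
    return recurse(0);
}

int main(void) {
    /* Constructed limit well below any default ulimit, so this is safe to run. */
    long depth = run_guarded_recursion(64u * 1024u);
    printf("guard tripped after %ld frames (limit 64 KiB)\n", depth);
    return 0;
}
```

The check is cheap (one pointer subtraction per call), which is why it can sit on every recursive entry point. Its correctness, however, assumes the address space between the recorded base and max_stack_bytes below it is really reserved for the stack; that is exactly the assumption the heap/stack collision in the reply breaks, and no in-process check can repair it.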